[0:31] Part 3: Understanding Cyber Mentality With Katie Arrington
Rachael: We're back for part three. This is our first.
Petko: This is the final part of Katie and all the honesty and brutality and just giving us a real feedback on what's going on in the industry. This is what we live for.
Rachael: It really is. Without further ado, let's get to the point.
Katie: You know what the new way the adversary's getting at our stuff, which is kind of funny? They're twisted, but I appreciate their twistedness. There's been this rash when people of interest, those PhDs, those research analysis, those people working on programs, they put them on LinkedIn. They're proud of their job and what they do.
They tweet and they use TikTok, so their adversary knows exactly where they are because we want to tell everybody where we're going. Like, "Oh, I'm going on a business trip this week." They go and look through your rental car because every one of us wants our
Bluetooth enabled on our rental car. People don't ever delete it. When you turn your rental car in, it's like, "Abe's phone, Steve's phone, Maryanne's phone."
The adversary, they love that. At DEFCON, three years ago, they introduced the company that had the iPhone charger. Basically the phone chargers, they were wifi enabled that the moment that you plugged them into your phone, it literally sent all of your data to an unknown IP address. Our adversaries have left these.
Remember when the DOD went through this whole great big thing and you weren't allowed to use a USB drive, you couldn't plug one in? But they think nothing of letting your phone charger in. People, this is electronic warfare. This is zero trust. Once an adversary figures out, they're going to extort it and then we'll close it.
Acknowledging the Problem
Katie: The way we close it is we'll write a policy. We'll argue about it for a good two years. Pray we don't have an administration change, because then the argument starts all over again. Then we'll implement it. Somebody will say it's too hard and ask for exemption, and they'll get it. The whole problem just all over again. It's like we can't stop being stupid.
Do you know we have the Paperwork Reduction Act? This is where the government gets crazy. If it has to do with more than three or more people, you have to officially ask for an exemption to the Paperwork Reduction Act to reduce paperwork.
We can't get out of our own way. I never have been, never will be a politician, I've always been a servant leader. Until people are willing to open up and just say, "Yes, it's broke. Scrap it," we're not doing this anymore. We can't keep trying to put a Bluetooth-enabled MP3 player into a 1920 Dodge. It just ain't going to work.
It's like canes, we cannot retrofit this anymore. We can't do anymore with this. We got to start from scratch because we just can't keep doing this stuff.
At the end, unless we all acknowledge that there's a problem at the same time and are willing to say, "Okay, all of our resources need to go to this because this is our biggest problem."
This is not a dig on people, individuals, it's a state of human condition. People are afraid to say the truth because we have turned into such a vile canceling each other out on everything. I have nothing to lose by telling the truth. They have done everything to ruin my life and I'm still here.
You can't cancel me, try.
Identifying Our Natural Asset
Katie: I've been hit by cars, I've been hit by the bureaucrats, I've been hit by the political machines and I ain't giving it up. We have to keep fighting and you guys have to dig in and be fearless about it. Don't do it for yourself. Do you have kids, Rachael?
Rachael: No, I don't.
Katie: Do you have a dog?
Rachael: I have two dogs, yes. And peacocks.
Petko: I have kids.
Katie: The only natural asset our country has, that one indisputable natural asset that we cannot live without is our youth, our children. Everything else we can rebuild, we can remake, we can figure it out, with kids you can't. If our kids don't have an opportunity to exist in the same, they're never going to have the streetlights coming on anymore.
I'm a '70s kid. I was the last generation that learned critical thinking. We were the last generation that got that. If we don't do the right things with cyber now and teach and ingrain this group about how critical cybersecurity is, they will be slaves, and I use that word, slaves to the technology.
Because AI, Elon Musk, you're saying all the right things right now, brother, about AI. If anybody remembers the movie, and I go back to Hollywood, Will Smith with IRobot, remember the robots made the decision that we were not good? We can do better.
[8:02] Take Control of Technology, or Technology Takes Over You
Rachael: I agree. I don't know if you saw that story too, this is about the wife who says the husband was talking exclusively with the AI robot, and I guess it convinced him that in order to save the climate, he would be better off giving himself to the earth or something like that, and so the fellow committed suicide. Now, I only caught this one little article.
I haven't really dug into it, but I just thought it was an interesting, as we have this conversation. What that path forward looks like, it's very frightening.
Petko: I use that tool often, and I've never had it convince me of things like that. It's informative, but it's not emotional.
Rachael: I don't know how it got to that point or what the name of it was. I'll have to send it to you, but it caused me pause.
Katie: Well, that's because of the level of the discussion. Do you remember 2001 Space Odyssey? Remember HAL, the computer? What did HAL say at the end? “Bye-bye.” The human race will never not not be there, we're just going to take it out. People forget that. That's why we keep going. Hollywood keeps telling us this.
How do they know? You remember War Games? Matthew Broderick. There's been so many movies where this whole story has been laid out and the outcome is the same every single time.
If you don't take control of the technology and do the risk reduction strategies, it will take you over. And you get in the car, you put your seatbelt on, you get in front of a computer, you better have MFA. You better make sure it's you logging in and you're looking at the information only you want to see.
The Adversarial Influence
Katie: It's not about trust or your spouse and whatnot. No. Listen, I'm married to a wonderful man. I don't want to know his passwords to his phones. Now in our house, I will tell you, in a safe, there is a bag in a safe. He's married to the former CISO. I call it the blue bag. We are very good about changing our passwords, but it's all in a safe when we do it, and we don't tell each other.
I don't want to know. In the event of my death, I'll go to the safe. He can go to the safe or I can go to the safe.
I trust my husband implicitly, but I don't give him that because it was for me, for my eyes only, for me. That's all. You have to look at that, that your company, the way you operate, why an MFA is so critically important is because can you trust that your employee, when they go home, that who they're married to is going to have the same care and concern or who their partner is or who they live with or their children, that there's not some adversarial influence?
Because I will tell you, there is, and they target people who are vulnerable and espionage goes on every day, but it's more of the stuff that you're just not thinking about. Did you leave that top secret diagram on a printer? Sadly happens a lot.
At the end of the day, guys, one thing that we have been given is freedom to make decisions. We can make the decisions. So we have all the tools that we need. Time and/or money will solve all problems.
Cybersecurity Should Be a Culture
Katie: Collectively, your company should be talking at the C-suite level about their stance on cybersecurity. It should be a cultural. When you go out for a CMMC, this is one of the ones I did on my first DIBCAC and they said, "We need the marketing for the company in the meeting as well," and people were like, "Why?"
And they're like, "Well, when you put stuff on the website and your social media, that's an exposure." People don't realize that.
When you say, "We've won this contract," you've gone and made this press release. The adversary knows you've won that contract. They're very interested in it, and they also know where you're located and what you do and who your employees are. And by the way, two of your employees are on Facebook complaining about where they work at, so they're going to target those guys.
It's all there. It's not hard, it's just a new way of thinking about doing business, and we can do this. We're better than this. I am all on with we can do this.
We just have to dig our feet in and I'm going to say to everybody listening, don't wait for the government to tell you to get it done. When the government makes the rule and the rule will go through, it will be longer than anticipated, there'll be a long line of people waiting to get in. Do it now.
Even if you don't get a certificate that says you're CMMC, call the cyber AB, get somebody out to your company, do your risk assessments, find your gaps, work on filling them now. Do not wait.
Risk Is Serious Business
Katie: The day I started in the Pentagon, it was 2030. 2030 was written on every room I walked around in the Pentagon because that's when we were going to go to war with Taiwan. That was the estimate. It is now 2024. They are no longer discussing 2030. They are no longer discussing 2025. It is '24.
Why? It's a US election year and we will be paying attention to that.
The adversary has done a lot while we've been busy talking about other things that are unimportant. To companies, I own my own, my company is Little Dynamite Innovations (LD). I have no problem blowing stuff up. In the rebuilding after a volcano erupts, the destruction is massive but the amount of nutrient-rich soil for new force to grow upon is there. We got to blow it up.
We've got to just say the only way to succeed in getting this is everybody's got to focus in and understand that we're all connected one way or another through the network. Are you willing to take the risk of somebody in business who isn't taking it seriously? That means they're not taking your business seriously.
Do it now, and don't wait, and it does matter. It's going to make you more desirable.
I talked about the consortia that we're creating. What we are doing now is the primes are illuminating their supply chains and they're getting COTS, Commercial Off The Shelf software, that are giving risk scores, and they're basing those risk scores and their compilation of all these things I've talked about, Twitter and Facebook and all this, and they're deciding whether they want to do business with you or not, and one of those big ones is cyber.
[16:13] The Cyber Insurance
Katie: They're basing it right now off of security scorecard, et cetera. I wanted it to be off the CMMC, but don't think that that isn't a criteria and that that's going to be part of winning work. You're going to, you got to get on it.
Petko: Katie, how much is that of them being proactive versus them trying to buy cyber insurance? Because to buy cyber insurance at the large business level, the insurance companies are requiring you to run that on all your supply chain.
Katie: I'm involved in a lot of that right now that's going on. The cyber insurance, by the by, will not underwrite a nation-state attack. First and foremost, you have to understand, when Lloyd's of London did that, that was a game changer. They're not going to insure it.
The SolarWinds attack was by a nation-state, nobody was insured. So the cyber insurance, the CMMC was supposed to help with getting the actuary tables.
If you were CMMC, you should get a lower rate. You get a lower rate just like car insurance. But because the DOD has dragged their feet so long, and I say this, they dragged their feet. They should never have taken the pause. They should never have let bureaucrats in the building interfere with the model that industry and academia created.
People forget that that was industry, academia, and the government worked together to create a maturity model because they all believed it was the best thing to do.
Don’t Wait for Government
Katie: You had literally Jesse Salazar, all his fault, stopped. I got put on administrative leave after I started arguing with the Tiger team. It was a bunch of people in the building who had never worked in industry, had never done anything in an environment. We’re talking about what they felt was the most compelling.
You don't have the people that are actually doing it in the room, in the conversation.
The biggest failure the DOD ever had was they took a perfectly decent model that had a lot of work to be done on it, but man, it was a collaborative effort over a year and a half of industry and academia and government volunteering to create it, and this is what they all agreed on.
And then four people in DOD, one was an SES, the others were highly qualified experts that they brought in who had never worked in industry, made the decision.
Then what really kills me, what really gets to me, and if your people on the podcast listen, the deputy assistant, the Deputy SECdef right now, Dr. Hicks, wrote the Gray Zone and she let them put a pause on the CMMC. The Gray Zone is probably one of the most truly real discussion papers on how China is going to go about taking this country.
The end of this conversation is don't wait for the government. Do it because it's the thing that you need to do to secure your business. You need to secure your employees. You need to secure and make yourself a better business partner, or you won't be around in five years. Plain and simple. Five years from now, you won't be around.
Adapting to Changes in Technology
Katie: It's the same analogy I'll give. The small mom-and-pop fast food places can't compete with the McDonald's of the world. Why? Because McDonald's isn't paying $15 an hour for people to take orders anymore. They're using a computer screen that you walk in and you tell your order to. The technology has changed.
Either those small businesses will get a system in theirs and the industry will create it. They can get their own. Everybody's started using the QR codes to look at the map and order online. They'll either acquiesce to the new way of doing business or they won't be in business.
Same thing with this. You're either going to acquiesce and you're going to get certified, or you ain't going to be there, plain and simple. You are no different.
There's goodness in it. There's goodness in everything. But I will say, the NIST 171 will change because electronic warfare will change. This is why I didn't ever want it to be a rule, I never wanted this. When they first did the rule, I always thought, because it takes so much to change a rule, I only wanted it to be in sections L and M in contracts.
I wanted to clearly describe the technical requirement that I need at this maturity level and the rationale why. How I would rate it? You're either this level or this level. We've watched 171 Bravo turn into 172, and that was levels four and five of the old CMMC model.
Now we have the new cybersecurity framework, and we have software bill of material.
The Further You Wait, the Further Behind You Are
Katie: Just remember, it's going to be changing. Don't ever feel that you're at a good spot in cyber because you will never be at a good spot in cyber. There's always going to be something that you need to do because that's electronic warfare. As one thing changes, you create it and you develop a piece of software or you bring a new piece of software into your environment, it's going to break something else.
But if you don't have that mindset, that cultural mindset around this, you'll never be in the game. So you have to understand that even though you get your CMMC certification or your NIST 171 today, you're not tomorrow. It's a constant state of evolution. That's just the way the world is now.
Don't wait. The further that you wait, the further behind you are, and you can't make up that. Your business just will not do it. And you've got to stay up just like everything else.
You got to stay at the latest and the greatest, and as cyber's the thing that's going to, the easiest way that I've talked ad nauseum to folks that the next war, well, the war that started, and people don't want to admit, we're at war, we've been at war, was in a non-kinetic fashion. Colonial pipeline.
The FAA NOTAM system, the rail cars. We're at war. They just don't want to say it because they don't want to freak us out. What are they going after next? And I pray my doomsday one of the peacemaker in. But we've just got to change our mentality to just, it's got to have, your ethos needs to be, I'm doing the best to reduce the risk.
[23:39] The Greatest Weapon
Katie: I'll end this podcast on this note. America became the greatest country this planet has ever seen because we understood the failures of other governments prior to us. We wrote the Constitution, which was a risk reduction strategy to keep government out of our lives. We opened up the art of the possible, what we're capable of doing.
There was no constraint. In that, the risk reductions in knowing the failures of others and the opportunity being limitless.
In that delta is how America became the greatest country on this planet. Unless we continue with that same mindset, we won't be. So let's stay there. The constitution's risk reduction strategies, keep the governmental out of your life so you can live to your best potential. You and the sky is the limit on innovation. Go for it.
That's why everybody wants us, that's why they use law fair against us.
This is the adversary. Our constitution and our laws are the adversary's greatest weapon. They're using it against us. Let's turn the table on them. One team, one fight. If you're in the dib, the team that you're fighting for in that service, man or woman, that has volunteered their life, signed papers, said, "I will go, I will lay down my life to defend democracy."
If they're willing to sign their life up, don't you think the least that you can do is to make sure that your system is as secure as possible? So that when they go to pull the trigger or they go to execute the mission, it actually works.
You Are Part of the Weapon System
Katie: That's what your job is, ultimately. You may not think it. You may think, "I'm the grand, I'm the big, I just work here at this company," but ultimately, you're a part of a weapon system that is built to defend democracy. And to protect that man or a woman sitting behind that gun, that computer screen, et cetera. It doesn't work for them.
They're the thing that's holding, I hate to use the Jack Nicholson. You don't want to know what I have to do to keep you safe. So do it right. Just do it right. And with that, I'll stop talking.
Rachael: This has been great. I love this conversation, Katie. We have to have more of these conversations because people just aren't thinking about it for whatever reason, or they just don't want to think about it. The more we have these conversations and get it out there and amplify it, I think it does get more people coming around to the reckoning. It takes every one of us to do our part.
Katie: I say it's that reckoning of this where we are. Understanding it, and the fact that people get on podcasts or they get on, they do an interview and they want to talk about, "Oh, I've come up with this." No, there's no easy solution to this. This is very hard and very complicated because we've ignored it for 40-plus years.
I'm sure it was very difficult and complicated to build the pyramids. I'm very sure it was very complicated and took a lot of effort to get the first man on the moon. Yes, I really do believe a man was on the moon. We can do this.
Right Money and Right Resources
Katie: Like I said, time and/or money will solve any problem. We just need to put the right money and the right resources. Ask Katie, I've got an opinion about everything. I'm an opinionated lady, and we all have them. We have to listen to each other and figure out ways. There have been some really insightful thoughts about why we should go back to the NIST 53. But I can't go back in time and undo history. It's a rule. It's the rule debate.
The reason why Obama said non-federal systems is because federal systems and non-federal systems are a little bit different. There is a reason for it. Let's just get through and get done what we need to get done. If anybody needs help, if you got hit with ransomware or your company has, you know as an IT person or a cyber person, you're seeing something on a network. See something, say something.
If your supply chain's getting hit, and incentivizing people for incident, I get it. That's being reactive, not proactive. How about being proactive of, "Hey, listen, I haven't had anything bad happen." What I really hope the CMMC would be able to do is we'd be able to use the auditors as a way to communicate en masse to all of the businesses within the dib. It's really hard to get information out.
People think it's easy, but it's really not. When you have people in manufacturing who are working every single day, they're not paying attention to LinkedIn and they're not paying attention to, when they go to a conference, they're going to run their booth. They're not there to develop new business. They're not looking for the new regulation requirement or what patch needs to be done today.
Share the Risk
Katie: That's why I thought the CMMC auditors would be the greatest fiduciary responsibility. You've given them a certification. You're responsible to make sure they get the information. That was the whole point of it. I hope that we figure that out and that we understand that risk is not a bad four letter word.
When there's risk, we should share it. If you're seeing something, loud and proud, cry wolf all day long. I'd rather you cry wolf than say nothing at all.
Rachael: It's just scratching the surface. There's so much to dig into and not enough folks are talking about a lot of these.
Katie: So much of it from TikTok to why you should make sure that your employees understand that when they rent a car and they use their phone, make sure you delete your Bluetooth profile. Don't leave your laptop open. The worst defense I saw in the company, they actually taped the password to the laptop.
I found it in the airport and called the CEO of the company. This is not a small company, they are a Fortune 100 company. I happened to know the CEO, I called and said, "Hey, I have this laptop, I have the password. Is this policy?" It was their policy to keep your password if anybody needed it. I'm like, "You got to know that's bad, right?"
They changed their policy. I've seen everything where you realize, and you think about that. You left your cell phone behind, now we can track them. We can see where the adversary's taken them. We can knock on the door once they get the information they want out of it.
Thank you all so much. I hope you have a wonderful day, and thank you for the opportunity.
About Our Guest
Katherine “Katie” Arrington is a former member of the Senior Executive Serves and served as the Chief Information Security Officer for Acquisition and Sustainment (CISO(A&S)) to the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)). In this position, she served as the central hub and integrator within the Office of the Under Secretary of Defense for Acquisition and Sustainment. (OUSD(A&S)) to align acquisition and sustainment cyber strategy and efforts to enhance cyber security within the Defense Industrial Base.
She led efforts that help ensure a secure Defense Supply Chain through the implementation of Trusted Capital vendors and Supply Chain Risk Management principles, enhanced defense industrial Base security and resilience, and establish a common cyber security standard within Departmental acquisition efforts. She also spearhead the CMMC program and served as an information security officer in the U.S. Department of Defense during the Trump Administration.
Katie Arrington was also the state representative for South Carolina’s 94th district from 2016 to 2018, briefly serving with Mace. Prior to entering politics, Arrington worked in defense contracting and real estate development. She is currently the owner of LD Innovations, LLC Cybersecurity. Arrington continues to use her platform to advocate for proper national security measures and inform the public on critical news. She attended Canisius College and Walden University.